How is security provided in the radio access network of a 5G system? That is the question we will answer in this video. Here you can see a simple representation of the whole 5G network with its different sub-domains. In Week 4, we looked at ensuring the security of network access. For example, we had to prevent Wile E. Coyote from listening to the Road Runner's conversations, so we needed different keys for each user, that is, for each SIM card. Here, we want to make sure the network domain is secure, in other words, to allow the network nodes to exchange signaling and user plane data securely. The aim is to fully protect all the operator's exchanges from external eavesdropping. We look more specifically at exchanges within a 3GPP access network, and at securing the links with the core network.

This is a simplified version of the 5G architecture with one gNB, which could be connected to another gNB, communicating with both an AMF and a UPF. The various reference points marked here are non-SBI interfaces, and securing them is essential. For example, the operator might install dedicated optical fiber to connect the gNB to the AMF. In this case, there is a dedicated transport link and security is ensured at the physical level, because it is not possible to tap the optical fiber without being detected. The operator might choose this kind of physical-level security. More often, however, there is an interconnection with other networks or, for example, the possibility of remote maintenance access to a gNB, so a cryptographic solution is needed to ensure security.

In this case, asymmetric cryptography is used. Each network function, the UPF, for example, is provided with a private key and a public key. We need to ensure that the public key and the identity presented by the UPF are trustworthy. This is why we use a "Public Key Infrastructure", or PKI, which is based on a certificate authority.
Certificates are created to ensure that the identity of the gNB and the public key it presents are trustworthy. This is done through a certificate format specified by the International Telecommunication Union in the X.509 recommendation. For non-SBI interfaces, there is first of all certificate-based authentication. Then security is provided at the network layer by "Internet Protocol Security", or IPsec. IPsec is very adaptable and is used to establish security associations: it makes sure that we have the same encryption key and the same integrity key in NF A-1 and NF A-2. For this we use the "Internet Key Exchange v2" protocol, or IKEv2.

Once we have a common encryption key, we can proceed with secure transmission. We use ESP, the "Encapsulating Security Payload", which is specified by the IETF in RFC 4303. Tunnel mode is used: we take the IP packet to be transmitted and put it inside another IP packet. Following the principle of encapsulation, this outer IP packet has a clear header, so the routers can route the packet easily by analyzing the destination address. The inner packet is encrypted to ensure confidentiality. An ESP-specific header is added, including a counter, and the whole encrypted packet together with the added header is protected for integrity by appending a message authentication code (MAC), which is shown here. The security services are therefore authentication, confidentiality thanks to packet encryption, integrity thanks to the MAC check, and anti-replay protection thanks to the counter in the ESP header.

The operator's network can thus be protected by using IPsec. A security domain is defined as a network or a subnetwork with the same level of security and the same use of security services. A security domain is managed by a single administrative authority. A security domain may be the entire access network of a 5G network, or the network may be organized into regional areas, with each regional area constituting a security domain.
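The ESP tunnel-mode packet layout just described, written out as an added example (this is not course material and not a 3GPP or IETF implementation): a clear outer IPv4 header for routing, an ESP header carrying the SPI and the sequence counter, the encrypted inner IP packet with its ESP trailer, and an integrity check value computed over the ESP header and the ciphertext. The receiver verifies the MAC, runs the RFC 4303 Appendix A anti-replay sliding window on the sequence number, and only then decrypts. The inner packet carries an SCTP protocol number to echo the conclusion's point that the transport protocol does not matter to IPsec. Assumptions: the keys, SPI and addresses are constructed values standing in for what IKEv2 would negotiate, and the cipher is a stand-in HMAC-SHA256 counter-mode keystream so that the example runs with the Python standard library alone; a real gateway would use a negotiated algorithm such as AES-GCM.

```python
"""Added example: ESP tunnel mode (RFC 4303 layout) with ICV and anti-replay window.
Stand-in cipher (HMAC-SHA256 in counter mode) and constructed keys/addresses:
NOT a conformant ESP implementation, only the packet structure and receiver checks."""
import hashlib, hmac, os, struct

ESP_PROTO = 50          # IP protocol number of ESP
SCTP_PROTO = 132        # inner packet: signaling carried over SCTP
IPIP_NEXT_HEADER = 4    # ESP trailer next-header: inner packet is IPv4 (tunnel mode)
ICV_LEN = 16            # 128-bit truncated HMAC, as in HMAC-SHA256-128 (RFC 4868)
IV_LEN = 8

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", (~csum) & 0xFFFF) + hdr[12:]

def keystream(enc_key, iv, n):
    """Stand-in PRF stream (HMAC-SHA256 in counter mode); a real SA would use e.g. AES-GCM."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def make_sa(spi, enc_key, auth_key, window_size=64):
    """Security association state: keys from IKEv2 (constructed here), counter and replay window."""
    return {"spi": spi, "enc_key": enc_key, "auth_key": auth_key, "seq": 0,
            "window_size": window_size, "window_top": 0, "window_bits": 0}

def esp_encapsulate(sa, inner_packet, outer_src, outer_dst):
    """Sender: inner IP packet -> outer IP | ESP hdr (SPI, seq) | IV | ciphertext | ICV."""
    sa["seq"] += 1                                   # anti-replay counter, never reused on an SA
    iv = os.urandom(IV_LEN)
    pad_len = (-(len(inner_packet) + 2)) % 4         # trailer: pad to 4-byte alignment
    plaintext = inner_packet + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPIP_NEXT_HEADER])
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(sa["enc_key"], iv, len(plaintext))))
    esp_hdr = struct.pack("!II", sa["spi"], sa["seq"])
    icv = hmac.new(sa["auth_key"], esp_hdr + iv + ct, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_hdr + iv + ct + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp   # clear outer header

def replay_check(sa, seq):
    """RFC 4303 Appendix A sliding window. Bit 0 of window_bits is window_top."""
    w, top = sa["window_size"], sa["window_top"]
    if seq == 0:                      # sequence number 0 is never valid
        return False
    if seq > top:                     # newest packet so far: slide the window forward
        shift = seq - top
        sa["window_bits"] = ((sa["window_bits"] << shift) & ((1 << w) - 1)) | 1
        sa["window_top"] = seq
        return True
    if top - seq >= w:                # older than the window: treat as replay
        return False
    bit = 1 << (top - seq)
    if sa["window_bits"] & bit:       # already received
        return False
    sa["window_bits"] |= bit
    return True

def esp_decapsulate(sa, packet):
    """Receiver: check ICV, then replay window, then decrypt and strip the trailer."""
    esp = packet[20:]
    esp_hdr, iv, ct, icv = esp[:8], esp[8:16], esp[16:-ICV_LEN], esp[-ICV_LEN:]
    spi, seq = struct.unpack("!II", esp_hdr)
    if spi != sa["spi"]:
        raise ValueError("unknown SPI")
    expected = hmac.new(sa["auth_key"], esp_hdr + iv + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time MAC comparison
        raise ValueError("integrity check failed")
    if not replay_check(sa, seq):                # window updated only after a valid ICV
        raise ValueError("replayed or stale sequence number %d" % seq)
    pt = bytes(a ^ b for a, b in zip(ct, keystream(sa["enc_key"], iv, len(ct))))
    pad_len, next_hdr = pt[-2], pt[-1]
    if next_hdr != IPIP_NEXT_HEADER:
        raise ValueError("unexpected next header")
    return pt[:len(pt) - 2 - pad_len]

def demo():
    """Constructed gNB-to-SEG exchange; returns (inner packet recovered, replay rejected)."""
    enc_key, auth_key = b"\x11" * 32, b"\x22" * 32          # constructed, not IKEv2-derived
    sender, receiver = make_sa(0x1000, enc_key, auth_key), make_sa(0x1000, enc_key, auth_key)
    inner = ipv4_header("10.1.1.5", "10.2.2.9", SCTP_PROTO, 12) + b"NGAP-SAMPLE!"
    wire = esp_encapsulate(sender, inner, "192.0.2.10", "198.51.100.1")
    recovered = esp_decapsulate(receiver, wire)
    try:                                                     # the same packet again is a replay
        esp_decapsulate(receiver, wire)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return recovered == inner, replay_rejected

if __name__ == "__main__":
    print(demo())
```

The order of checks on the receiver is the point worth noting: the ICV is verified before the replay window is updated, so a forged packet with a high sequence number cannot move the window and cause genuine packets to be dropped. The outer header carries only the tunnel endpoints, so intermediate routers learn nothing about the inner addresses or the transport protocol.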
In order to protect a security domain while allowing interconnections, we define a security gateway (SEG). This security gateway communicates over IPsec with the different elements of its domain, and it also establishes secure tunnels with other security gateways. The security gateway enforces a filtering policy and has firewall functions. There can be several security gateways in the same security domain to avoid single points of failure, and also for load-sharing purposes. Of course, the operator has to physically secure the SEG itself.

In conclusion, security in the network domain for non-SBI interfaces is provided at the network layer. It is based on the standard IETF toolkit and on an asymmetric cryptography mechanism: we use a public key infrastructure, or PKI, and a certificate mechanism. We use IPsec, more precisely IKEv2 to establish the security associations and ESP to encrypt the packets, in tunnel mode. Each packet is placed inside an encrypted, integrity-protected packet. The advantage of working at the network level is that the IP packet can carry UDP datagrams, TCP segments, or signaling messages carried over SCTP; security is ensured regardless of the transport protocol used. A "SEcurity Gateway", or SEG, is defined to provide secure interconnection with all other security domains. The security services are authentication, confidentiality, integrity, and anti-replay protection. Everything we have seen applies to 4G networks as well: there is no major difference between 4G and 5G in terms of this IPsec-based security and the protocols that depend on it.